As Ryan points out, root store operators enforce the BRs in different ways.
> (Writing in an official capacity for the Google/Chrome Root Program)
> Our expectation is that CAs will be filing incident reports for:
> 1) The failure to include and document as in-scope within the relevant
> 2) If the CA fails to revoke within the time period required by the
> the failure to revoke within the BR time period
> As two separate reports.
> We encourage CAs to carefully examine these reports and provide
> updates as
> to their planned revocations.
My understanding is that Google’s root store expectations differ from
Mozilla’s root store expectations regarding handling of
non-technically-constrained intermediate certificates missing BR audits
in 2 ways.
1) Mozilla is currently okay with the incident report for not revoking
the non-BR-audited non-technically-constrained intermediate certificates
to be handled in the same Bugzilla bug as the missing-audits incident
report. However, I interpret Ryan’s message to mean that Google would
like those to be two separate Bugzilla Bugs.
Note: I will add a report to
wiki.mozilla.org/CA/Intermediate_Certificates to list all of the
intermediate certificates that have been added to OneCRL and their
revocation status. This will enable the CA Community to identify which
certificates have been added to OneCRL but are not actually revoked.
2) From Mozilla’s perspective, adding a non-technically-constrained
intermediate certificate to Mozilla’s OneCRL (only consumed by Firefox)
means that the BRs become out of scope for that certificate. So Mozilla
does not require that certificate to be revoked.
dev-security-policy mailing list